libfreerdp-crypto: add robustness checks for VerifyX509Certificate

2013-11-25 12:08:58 -05:00 · 2013-11-25 12:08:58 -05:00 · 4987f2b0e1
commit 4987f2b0e1
parent 128fb72ec6
1 changed files with 30 additions and 1 deletions
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@ -596,14 +596,33 @@ BOOL tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname)
 		 */

 		bio = BIO_new(BIO_s_mem());
+		
+		if (!bio)
+		{
+			fprintf(stderr, "tls_verify_certificate: BIO_new() failure\n");
+			return FALSE;
+		}

 		status = PEM_write_bio_X509(bio, cert->px509);

+		if (status < 0)
+		{
+			fprintf(stderr, "tls_verify_certificate: PEM_write_bio_X509 failure: %d\n", status);
+			return FALSE;
+		}
+		
 		offset = 0;
 		length = 2048;
 		pemCert = (BYTE*) malloc(length + 1);

 		status = BIO_read(bio, pemCert, length);
+		
+		if (status < 0)
+		{
+			fprintf(stderr, "tls_verify_certificate: failed to read certificate\n");
+			return FALSE;
+		}
+		
 		offset += status;

 		while (offset >= length)
@ -619,17 +638,27 @@ BOOL tls_verify_certificate(rdpTls* tls, CryptoCert cert, char* hostname)
 			offset += status;
 		}

+		if (status < 0)
+		{
+			fprintf(stderr, "tls_verify_certificate: failed to read certificate\n");
+			return FALSE;
+		}
+		
 		length = offset;
 		pemCert[length] = '\0';

 		status = -1;
-
+		
 		if (instance->VerifyX509Certificate)
 		{
 			status = instance->VerifyX509Certificate(instance, pemCert, length, 0);
 		}
+		
+		fprintf(stderr, "VerifyX509Certificate: (length = %d) status: %d\n%s\n",
+			length, status, pemCert);

 		free(pemCert);
+		BIO_free(bio);

 		return (status < 0) ? FALSE : TRUE;
 	}